[Zope] Zope and SSL

[Rob Page]

Hi Joachim:

> In http://www.egroups.com/group/medusa/47.html I read about 
> using "STunnel"
> (http://mike.daewoo.com.pl/computer/stunnel/) to add SSL 
> functionality to Medusa.
> 
> As ZServer is derived from Medusa, this should work for Zope, too.
> 
> Has anyone tried to use this combination? Any experience? I'm 
> asking because I like the idea of having ONLY ZServer running as a web
server, 
> not a combination of ZServer and Apache. The only thing I'd need
Apache (or 
> Roxen) for, would be the SSL support.
> 
> BTW: Is native SSL support planned for ZServer?

Chris Petrilli, our local security story manager is working on a number
of different projects.  Lest this go unanswered I'll pipe in....  If you
want to ask a question, ask him!  :^)

Historically, incorporating encryption into Zope has been a real
obstacle for us for the following reasons:

(1)  it ain't easy, 
(2)  US export restrictions on the cryptographic software/tools

With yesterday's significant announcement by the US Govt:

http://www.infobeat.com/stories/cgi/story.cgi?id=2563227804-a95

it looks like (2) will no longer be an issue.  However, (1) still is...
and (1) is a BIGGIE.  To really use SSL for both server AND client
identification/authentication there is a LOT to do.  I'm not sure that
we've got the bandwidth (funded or not) to do this in the foreseeable
future.

Naturally, if there was a funded effort we could at least look at what
it would take.  Alternatively, we could provide advice and guidance to
any person or group that wanted to take this project on (with a serious
intent to finish).

--Rob